Fake ID flaw plagues millions of Android devices

A newly uncovered flaw in Google's Android OS could leave large numbers of mobile devices at risk from malicious apps that appear to be from trusted developers.

Named 'Fake ID' by Bluebox Security, which uncovered it and notified Google, the vulnerability lets a malicious application impersonate specifically recognised trusted applications without any notification to the user. Although Google issued a patch in April, it is likely that many devices are still unpatched.

The flaw can be used by malware to escape the normal application sandbox and take one or more malicious actions. For example, it could insert a Trojan horse into other applications by impersonating Adobe Systems, gain access to NFC financial and payment data by impersonating Google Wallet, or take full management control of the device by pretending to be 3LM.

Fake ID is present in Android versions 2.1 through 4.4; Google fixed it in April under bug 13678484. Android 4.4 KitKat is immune to the Adobe webview attack in particular, because of a change in its webview code, but unpatched KitKat devices remain exposed to the other impersonation vectors. Millions of unpatched devices could still be at risk, however: Google's own statistics indicate that more than 80 percent of Android users are running older versions of the OS.

Fake ID exploits a flaw in the way Android verifies the digital certificates that sign an app. An app's signing certificate may carry a chain of issuer certificates, and several Android components grant special privileges to apps whose chain includes a specific trusted certificate. The OS checked whether the trusted certificate appeared in the chain before granting those privileges, but it did not cryptographically verify that each certificate had actually been signed by the issuer it named, so an attacker can forge a certificate that merely claims the trusted party as its issuer. It is also possible for a single app to carry multiple signing identities, making it possible to carry out several of these attacks at once.
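The check described above, as an added example that is not Android's code or Bluebox's: the Go program below uses the standard crypto/x509 package to build a trusted issuer certificate (standing in for the Adobe certificate the article mentions), a genuine app certificate issued by it, and a forged app certificate that names the trusted issuer but is signed with the attacker's own key. vulnerableChainCheck models the pre-patch logic, matching on issuer name alone; fixedChainCheck also verifies the signature, which is the step the forged certificate cannot survive. All keys, certificates and names are constructed for the example, and the helper functions (newKey, issue, buildScenario) are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 // serial counter for the constructed certificates

// newKey generates a P-256 key pair (hypothetical helper for this example).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue creates a certificate for pub with the given common name. The issuer
// name is copied from parent's subject and the signature is produced with
// signerKey. Nothing ties signerKey to parent here, which is exactly what lets
// the attacker below mint a certificate that only claims a trusted issuer.
func issue(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, signerKey *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // self-signed root
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// vulnerableChainCheck models the pre-patch Android behaviour: the leaf is
// treated as issued by trusted when its issuer name equals trusted's subject
// name. No signature is verified, so a forged issuer name is enough.
func vulnerableChainCheck(leaf, trusted *x509.Certificate) bool {
	return bytes.Equal(leaf.RawIssuer, trusted.RawSubject)
}

// fixedChainCheck also verifies the leaf's signature with trusted's public
// key; a certificate signed by any other key is rejected.
func fixedChainCheck(leaf, trusted *x509.Certificate) bool {
	if !bytes.Equal(leaf.RawIssuer, trusted.RawSubject) {
		return false
	}
	return leaf.CheckSignatureFrom(trusted) == nil
}

// buildScenario constructs, in memory, a trusted issuer standing in for the
// Adobe certificate, a genuine app certificate it issued, and a forged app
// certificate that names it as issuer but was signed with the attacker's key.
func buildScenario() (trusted, genuine, forged *x509.Certificate) {
	trustedKey := newKey()
	trusted = issue("Trusted Issuer (stand-in for Adobe Systems)", &trustedKey.PublicKey, nil, trustedKey, true)

	appKey := newKey()
	genuine = issue("Genuine App", &appKey.PublicKey, trusted, trustedKey, false)

	attackerKey := newKey()
	// A bare template carrying only the trusted subject name. Its public key
	// is unset, so the forged certificate is signed by attackerKey while its
	// Issuer field still reads as the trusted party.
	impostor := &x509.Certificate{RawSubject: trusted.RawSubject}
	forged = issue("Malicious App", &attackerKey.PublicKey, impostor, attackerKey, false)
	return trusted, genuine, forged
}

func main() {
	trusted, genuine, forged := buildScenario()
	for _, c := range []struct {
		name string
		leaf *x509.Certificate
	}{{"genuine", genuine}, {"forged", forged}} {
		fmt.Printf("%-7s vulnerable=%v fixed=%v\n", c.name,
			vulnerableChainCheck(c.leaf, trusted), fixedChainCheck(c.leaf, trusted))
	}
}
```

Running it shows the forged certificate passing the name-only check alongside the genuine one, and failing only once the signature is actually verified against the trusted issuer's key. The same name-only logic applied against a second trusted certificate would accept a second forged certificate in the same signing block, which is the multiple-identity angle the article goes on to describe.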

Writing on Bluebox's blog, chief technology officer Jeff Forristal says, "The problem is further compounded by the fact that multiple signers can sign an Android application (as long as each signer signs all the same application pieces). This allows a hacker to create a single malicious application that carries multiple fake identities at once, taking advantage of multiple signature verification privilege opportunities to escape the sandbox, access NFC hardware used in secure payments, and take device administrative control without any prompt or notification provided to the user of the device".